Chapter 9. Protecting data with certificates


Are you comfortable entering your credit card information into a website? How about one that has no protection or encryption? Protecting sensitive data from prying eyes as it flies from your customer’s computer to your website is a top responsibility of the administrator.

Secure Socket Layer (SSL) is an encryption technology created by Netscape to keep data from being stolen by encrypting the communication between the customer and the server. Every time you add https:// to a URL, you’re using SSL encryption to protect your confidential data. The web requests are encrypted and (usually) sent through the firewall on the default HTTPS port, 443, to the website, which responds back over the same encrypted tunnel, as shown in figure 9.1.

Figure 9.1. SSL (and certificates) encrypt transmissions to protect data from hackers.

To create an SSL encryption tunnel for HTTPS, you install a certificate—often purchased from a Certificate Authority (CA) or self-made. The certificate has an encryption mechanism that protects your customer’s data from being stolen. The science behind this is called Public Key Infrastructure (PKI), which is beyond what we can cover here. But correctly obtaining, installing, and configuring certificates for your websites is what you’ll do in this chapter.
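Before touching the certificates in this chapter, it helps to see what your IIS server already has bound to port 443 and whether each certificate is CA-issued or self-made. The following PowerShell script is an added example, not code from the book; it assumes the IIS WebAdministration module is installed and that you run it from an elevated prompt on the web server.

```powershell
# Added example (not from the book): report every HTTPS binding on this IIS server,
# showing whether the bound certificate is CA-issued or self-signed, whether this
# machine trusts its chain, and how many days remain before it expires.
# Assumes the WebAdministration module (IIS role) and an elevated PowerShell session.
Import-Module WebAdministration

function Get-IisHttpsCertificateReport {
    foreach ($site in Get-Website) {
        foreach ($binding in Get-WebBinding -Name $site.Name -Protocol https) {
            $thumbprint = $binding.certificateHash
            $store      = $binding.certificateStoreName
            if (-not $store) { $store = 'My' }   # blank means the default personal store

            if (-not $thumbprint) {
                # An https binding with no certificate cannot serve an encrypted session at all
                [pscustomobject]@{ Site = $site.Name; Binding = $binding.bindingInformation
                                   Issuer = $null; Kind = 'NO CERTIFICATE BOUND'
                                   Trusted = $false; DaysLeft = $null }
                continue
            }

            $cert = Get-Item "Cert:\LocalMachine\$store\$thumbprint" -ErrorAction SilentlyContinue
            if (-not $cert) {
                # The binding points at a thumbprint that is no longer in the store
                [pscustomobject]@{ Site = $site.Name; Binding = $binding.bindingInformation
                                   Issuer = $null; Kind = 'THUMBPRINT NOT IN STORE'
                                   Trusted = $false; DaysLeft = $null }
                continue
            }

            # A certificate whose issuer is its own subject was self-made rather than
            # purchased from a CA; browsers will warn users about it.
            $kind = if ($cert.Subject -eq $cert.Issuer) { 'Self-signed' } else { 'CA-issued' }

            [pscustomobject]@{
                Site     = $site.Name
                Binding  = $binding.bindingInformation     # e.g. *:443:
                Issuer   = $cert.Issuer
                Kind     = $kind
                Trusted  = $cert.Verify()                   # chain builds to a trusted root here
                DaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
            }
        }
    }
}

Get-IisHttpsCertificateReport | Format-Table -AutoSize
```

A row marked Self-signed, untrusted, or with a small DaysLeft value is a site whose visitors will see browser warnings or lose the encrypted tunnel altogether, which is exactly what the rest of the chapter shows you how to fix.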

9.1. Not all certificates are the same

9.2. Implementing certificates on a single IIS server

9.3. Securing your websites

9.4. Lab

9.5. Ideas to try on your own